[The] Process concerned with the identification, measurement, control, and minimization of security risks in information systems to a level commensurate with the value of the assets protected. [INFOSEC-99]